Field of the Invention
The present invention relates generally to computer networking and computer software.
Description of the Background Art
Personal computers and network clients are vulnerable to a broad variety of viruses and other security attacks. Individual systems succumbing to a virus attack can threaten other systems and overall network integrity, leading to lost user productivity and business. Many of these threats are present even when the client systems reside behind a network firewall, such as in an internal network within an organization. A typical sequence of events leading up to a virus attack is shown in FIG. 1A. The attack sequence begins with the discovery of a vulnerability (in an operating system, utility, or application) (101), which may lead unscrupulous authors to create viruses that exploit that vulnerability (102). These viruses are then launched and spread among vulnerable systems (103). At that point, various commercial or public agencies begin to identify an attack and the specific virus responsible for the attack, but frequently the attack is already underway and damage or losses have already been incurred (104).
A traditional protection sequence 150 for providing anti-virus security is depicted in FIG. 1B. This traditional method 150 begins after a vulnerability has been discovered (101), viruses exploiting the vulnerability have been created (102) and launched (103), and a specific virus is discovered or identified (104). The specific virus is then analyzed (105) such that a virus signature is determined (106). These ‘signatures’ often rely on a physical disk or memory ‘footprint’ of the specific virus's object code. These virus ‘signatures’ are then distributed to populations of computer users (107), where users can then employ signature-based scanning of their systems (108) to detect the presence of the virus and allow removal. While somewhat effective, this traditional method leaves user organizations exposed to damage or loss from the point in time when a vulnerability is discovered (101) until the point where all users have employed the signature-based scanning (108) to rid their systems of the threat. This interval is labeled in FIG. 1B as a ‘vulnerability gap’ (110). This traditional approach is also subject to variants of viruses that may exploit the same vulnerability but exhibit a different object code ‘footprint’ or signature and thereby escape detection until these variants are identified, their additional signatures determined, the signatures distributed, and users utilize the new signatures in their scanning for viruses.
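The following is an added illustration, not part of the original disclosure, of the footprint-based scanning of steps (106) through (108) and of how a variant with a different footprint goes undetected until its own signature is distributed. The class and function names, the signature names, and all byte strings are hypothetical, constructed placeholders.

```python
# Added illustration: byte-footprint signature scanning (steps 106-108).
# All byte strings below are constructed, harmless placeholders.
from dataclasses import dataclass, field


@dataclass
class SignatureDB:
    """Distributed signature set (107): name -> object-code footprint."""
    signatures: dict = field(default_factory=dict)

    def add(self, name: str, footprint: bytes) -> None:
        if len(footprint) < 4:
            raise ValueError("footprint too short to be a useful signature")
        self.signatures[name] = footprint


def scan(image: bytes, db: SignatureDB) -> list:
    """Signature-based scan (108): names whose footprint occurs in image."""
    return sorted(n for n, fp in db.signatures.items() if fp in image)


def scan_all(images: dict, db: SignatureDB) -> dict:
    """Scan every image and map its path to the list of matched names."""
    return {path: scan(data, db) for path, data in images.items()}


# Constructed sample images: benign filler plus placeholder markers.
ORIGINAL_FOOTPRINT = b"\x01\x02PLACEHOLDER-A\x03\x04"
VARIANT_FOOTPRINT = b"\x01\x02PLACEHOLDER-B\x03\x04"  # assumed variant, different bytes
IMAGES = {
    "clean.bin": b"\x00" * 32 + b"ordinary program data",
    "infected_original.bin": b"hdr" + ORIGINAL_FOOTPRINT + b"tail",
    "infected_variant.bin": b"hdr" + VARIANT_FOOTPRINT + b"tail",
}


def demo() -> tuple:
    db = SignatureDB()
    db.add("sample.A", ORIGINAL_FOOTPRINT)  # signature determined (106)
    before = scan_all(IMAGES, db)           # variant is missed at this point
    db.add("sample.B", VARIANT_FOOTPRINT)   # later signature update for the variant
    after = scan_all(IMAGES, db)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for path in IMAGES:
        print(f"{path}: before={before[path]} after={after[path]}")
```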